Biegral Blog

         之前介绍过利用valgrind来定位内存泄漏（慢性病， 会导致程序在某个不确定的时刻异常）， 本文我们来简要介绍利用valgrind来定位内存的重复释放（急性病， 会报纸程序崩溃）。 看程序：

#include <stdio.h>
#include <stdlib.h>
#include <memory.h>

int main()
{
	char *p = (char *)malloc(30);
	free(p);
	free(p);

    return 0;
}

       我们用valgrind来检测一下：

[root@xxx ~/valgrind-3.8.1/bin]# g++ -g test.cpp
[root@xxx ~/valgrind-3.8.1/bin]# 
[root@xxx ~/valgrind-3.8.1/bin]# ./valgrind --tool=memcheck --leak-check=yes --show-reachable=yes ./a.out
==18229== Memcheck, a memory error detector
==18229== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==18229== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==18229== Command: ./a.out
==18229== 
==18229== Invalid free() / delete / delete[] / realloc()
==18229==    at 0x4C27300: free (vg_replace_malloc.c:446)
==18229==    by 0x400611: main (test.cpp:9)
==18229==  Address 0x5d84040 is 0 bytes inside a block of size 30 free'd
==18229==    at 0x4C27300: free (vg_replace_malloc.c:446)
==18229==    by 0x400605: main (test.cpp:8)
==18229== 
==18229== 
==18229== HEAP SUMMARY:
==18229==     in use at exit: 0 bytes in 0 blocks
==18229==   total heap usage: 1 allocs, 2 frees, 30 bytes allocated
==18229== 
==18229== All heap blocks were freed -- no leaks are possible
==18229== 
==18229== For counts of detected and suppressed errors, rerun with: -v
==18229== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 6 from 6)
[root@xxx ~/valgrind-3.8.1/bin]# 

      很容易看到， 第9行错误释放（重复释放）。 如果直接执行a.out程序， 会出现什么问题呢？  程序直接崩溃了， abort了， 如下：

[root@xxx ~/valgrind-3.8.1/bin]# ./a.out 
*** glibc detected *** ./a.out: double free or corruption (fasttop): 0x00000000011b1010 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x75e66)[0x7f9877755e66]
./a.out[0x400612]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f98776fed5d]
./a.out[0x400529]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fd:01 562221                             /root/valgrind-3.8.1/bin/a.out
00600000-00601000 rw-p 00000000 fd:01 562221                             /root/valgrind-3.8.1/bin/a.out
011b1000-011d2000 rw-p 00000000 00:00 0                                  [heap]
7f98772bf000-7f98772d6000 r-xp 00000000 fd:01 309668                     /lib64/libpthread-2.12.so
7f98772d6000-7f98774d6000 ---p 00017000 fd:01 309668                     /lib64/libpthread-2.12.so
7f98774d6000-7f98774d7000 r--p 00017000 fd:01 309668                     /lib64/libpthread-2.12.so
7f98774d7000-7f98774d8000 rw-p 00018000 fd:01 309668                     /lib64/libpthread-2.12.so
7f98774d8000-7f98774dc000 rw-p 00000000 00:00 0 
7f98774dc000-7f98774de000 r-xp 00000000 fd:01 309538                     /lib64/libdl-2.12.so
7f98774de000-7f98776de000 ---p 00002000 fd:01 309538                     /lib64/libdl-2.12.so
7f98776de000-7f98776df000 r--p 00002000 fd:01 309538                     /lib64/libdl-2.12.so
7f98776df000-7f98776e0000 rw-p 00003000 fd:01 309538                     /lib64/libdl-2.12.so
7f98776e0000-7f987786a000 r-xp 00000000 fd:01 309509                     /lib64/libc-2.12.so
7f987786a000-7f9877a6a000 ---p 0018a000 fd:01 309509                     /lib64/libc-2.12.so
7f9877a6a000-7f9877a6e000 r--p 0018a000 fd:01 309509                     /lib64/libc-2.12.so
7f9877a6e000-7f9877a6f000 rw-p 0018e000 fd:01 309509                     /lib64/libc-2.12.so
7f9877a6f000-7f9877a74000 rw-p 00000000 00:00 0 
7f9877a74000-7f9877a8a000 r-xp 00000000 fd:01 309558                     /lib64/libgcc_s-4.4.6-20110824.so.1
7f9877a8a000-7f9877c89000 ---p 00016000 fd:01 309558                     /lib64/libgcc_s-4.4.6-20110824.so.1
7f9877c89000-7f9877c8a000 rw-p 00015000 fd:01 309558                     /lib64/libgcc_s-4.4.6-20110824.so.1
7f9877c8a000-7f9877d0d000 r-xp 00000000 fd:01 309608                     /lib64/libm-2.12.so
7f9877d0d000-7f9877f0c000 ---p 00083000 fd:01 309608                     /lib64/libm-2.12.so
7f9877f0c000-7f9877f0d000 r--p 00082000 fd:01 309608                     /lib64/libm-2.12.so
7f9877f0d000-7f9877f0e000 rw-p 00083000 fd:01 309608                     /lib64/libm-2.12.so
7f9877f0e000-7f9877ff6000 r-xp 00000000 fd:01 171070                     /usr/lib64/libstdc++.so.6.0.13
7f9877ff6000-7f98781f6000 ---p 000e8000 fd:01 171070                     /usr/lib64/libstdc++.so.6.0.13
7f98781f6000-7f98781fd000 r--p 000e8000 fd:01 171070                     /usr/lib64/libstdc++.so.6.0.13
7f98781fd000-7f98781ff000 rw-p 000ef000 fd:01 171070                     /usr/lib64/libstdc++.so.6.0.13
7f98781ff000-7f9878214000 rw-p 00000000 00:00 0 
7f9878214000-7f9878234000 r-xp 00000000 fd:01 309485                     /lib64/ld-2.12.so
7f987830f000-7f9878314000 rw-p 00000000 00:00 0 
7f9878322000-7f9878323000 rw-p 00000000 00:00 0 
7f9878323000-7f9878326000 r-xp 00000000 fd:01 309900                     /lib64/libonion_security.so.1.0.13
7f9878326000-7f9878426000 ---p 00003000 fd:01 309900                     /lib64/libonion_security.so.1.0.13
7f9878426000-7f9878427000 rw-p 00003000 fd:01 309900                     /lib64/libonion_security.so.1.0.13
7f9878427000-7f9878433000 rw-p 00000000 00:00 0 
7f9878433000-7f9878434000 r--p 0001f000 fd:01 309485                     /lib64/ld-2.12.so
7f9878434000-7f9878435000 rw-p 00020000 fd:01 309485                     /lib64/ld-2.12.so
7f9878435000-7f9878436000 rw-p 00000000 00:00 0 
7fffc2f9b000-7fffc2fbc000 rw-p 00000000 00:00 0                          [stack]
7fffc2ffe000-7fffc3000000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
[root@xxx ~/valgrind-3.8.1/bin]# 

      

       如果是这种程序呢？

#include <stdio.h>
#include <stdlib.h>
#include <memory.h>

int main()
{
	char szTest[100] = {0};
	char *p = szTest;
	free(p);

    return 0;
}

      编译运行一下：

[root@xxx ~/valgrind-3.8.1/bin]# g++ -g test.cpp
[root@xxx ~/valgrind-3.8.1/bin]# ./a.out 
Segmentation fault
[root@xxx ~/valgrind-3.8.1/bin]# ulimit -c unlimited
[root@xxx ~/valgrind-3.8.1/bin]# ./a.out 
Segmentation fault (core dumped)
[root@xxx ~/valgrind-3.8.1/bin]# 
[root@xxx ~/valgrind-3.8.1/bin]# 
[root@xxx ~/valgrind-3.8.1/bin]# 
[root@xxx ~/valgrind-3.8.1/bin]# ./valgrind --tool=memcheck --leak-check=yes --show-reachable=yes ./a.out
==22452== Memcheck, a memory error detector
==22452== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==22452== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==22452== Command: ./a.out
==22452== 
==22452== Invalid free() / delete / delete[] / realloc()
==22452==    at 0x4C27300: free (vg_replace_malloc.c:446)
==22452==    by 0x4005DC: main (test.cpp:9)
==22452==  Address 0x7ff000470 is on thread 1's stack
==22452== 
==22452== 
==22452== HEAP SUMMARY:
==22452==     in use at exit: 0 bytes in 0 blocks
==22452==   total heap usage: 0 allocs, 1 frees, 0 bytes allocated
==22452== 
==22452== All heap blocks were freed -- no leaks are possible
==22452== 
==22452== For counts of detected and suppressed errors, rerun with: -v
==22452== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 6 from 6)
[root@xxx ~/valgrind-3.8.1/bin]# 

      可以看到， 程序直接崩溃， segment fault了， 如果打开core开关， 看可以看到core dump的文件。 在这种情况下， 我们也可以利用valgrind来检测。

      OK, 先说这么多。